3 Configuring Authentication for Services

This chapter describes how to configure authentication for Unified Inventory and Topology services such as UIM, ATA, Message Bus, SmartSearch, and OpenSearch.

About Authentication

This section provides instructions for setting up Single Sign-On (SSO) authentication for Unified Inventory and Topology services.

These services implement Single Sign-On (SSO) authentication using the OIDC protocol with any supported Identity Provider (IdP), which enables you to access multiple applications without being prompted to authenticate for each application separately. The main advantage of SSO is that you are authenticated only once, when you log in to the first application, and you are not required to authenticate again when you subsequently access other applications. However, these applications must have the same (or a lower) authentication level as the first application and must be opened within the same web browser session.

These services also support the Single Logout (SLO) feature. If you access multiple applications using SSO within the same web browser session and then log out of any one of them, you are logged out of all of the applications.

Note:

UIM requires an IdP that supports SAML 2.0 along with OIDC.

As UIM is a WebLogic application, it supports only the SAML 2.0 protocol. For more information about how to enable authentication, see UIM Cloud Native Deployment Guide. OIDC is supported for all other services, such as Message Bus, ATA, Authorization, SmartSearch, and OpenSearch.

Ensure that IdP users are assigned to the following groups for ATA access:

  • AtaAdministrator: This group has the privileges of Administrator and AdvancedUser roles. The users with this group can:
    • Create, view, and search topology graphs
    • Edit and delete all saved searches
    • Navigate to all summary pages
    • Create, view, edit, and delete icons and colors customization
  • AtaAdvancedUser: This group has the privileges of AdvancedUser role. The users with this group can:
    • Create, view, and search topology graphs
    • Edit and delete saved searches created by the corresponding user
    • Navigate to all summary pages
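The group-to-privilege mapping above, written out as an authorization decision, as an added example that is not part of this guide or of the ATA product code. It encodes the two groups the guide names and the one privilege that differs between them (editing or deleting saved searches: all of them for AtaAdministrator, only the user's own for AtaAdvancedUser); the user names, group claims, and saved-search records are constructed for the example.

```python
"""Map IdP group membership to ATA privileges and decide saved-search access.

Added example (not Oracle code). Group and role names are the ones the guide
lists; users and saved searches below are constructed sample data.
"""
from dataclasses import dataclass

# Groups that grant ATA access, as named in the guide.
ATA_GROUPS = {"AtaAdministrator", "AtaAdvancedUser"}


@dataclass(frozen=True)
class SavedSearch:
    name: str
    owner: str  # IdP user name that created the search


def ata_roles(groups):
    """Translate the IdP group claims of a user into ATA roles.

    AtaAdministrator carries both roles; AtaAdvancedUser only AdvancedUser.
    Any group not listed in the guide grants nothing (deny by default).
    """
    roles = set()
    if "AtaAdministrator" in groups:
        roles |= {"Administrator", "AdvancedUser"}
    if "AtaAdvancedUser" in groups:
        roles.add("AdvancedUser")
    return roles


def can_access_ata(groups):
    """A user with no ATA group must not reach ATA at all."""
    return bool(ata_roles(groups))


def can_view_topology(groups):
    """Both groups may create, view, and search topology graphs."""
    return "AdvancedUser" in ata_roles(groups)


def can_modify_saved_search(user, groups, search):
    """Edit/delete rule: Administrator -> any search; AdvancedUser -> own only."""
    roles = ata_roles(groups)
    if "Administrator" in roles:
        return True
    if "AdvancedUser" in roles:
        return search.owner == user
    return False


def can_customize_icons(groups):
    """Icon and colour customization is an Administrator-only privilege."""
    return "Administrator" in ata_roles(groups)


if __name__ == "__main__":
    # Constructed sample: two users, one saved search owned by 'bob'.
    search = SavedSearch(name="core-routers", owner="bob")
    print(can_modify_saved_search("alice", ["AtaAdministrator"], search))  # True
    print(can_modify_saved_search("carol", ["AtaAdvancedUser"], search))   # False
    print(can_access_ata(["Engineers"]))                                   # False
```

A deployment that maps IdP groups to ATA roles should behave exactly like this table: membership in an unrelated IdP group yields no ATA role, and the only ownership-sensitive decision is the saved-search edit/delete for AdvancedUser.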

To configure authentication for all other services, perform the steps described in the following sections.

Sample references are provided in the Appendix; see the content for the corresponding authentication type.

Adding Common OAuth Secret and ConfigMap

To add the common OAuth secret and ConfigMap:

  1. Run the following command to create or update the truststore by importing the Identity Provider SSL certificate:
    keytool -importcert -v -alias <param> -file <path to IDP cert file> -keystore <truststorename>.jks -storepass <password>

    A sample is as follows:

    keytool -importcert -v -alias idpcert -file identityprovidercert.pem -keystore truststore.jks -storepass ****

    Note:

    You must add the corresponding certificates for UIM and Identity Providers. If the Identity Provider and UIM certificates are not common, add both in the same truststore.
  2. Run the following script to create the OAuth configuration as secrets and ConfigMap:
    $COMMON_CNTK/scripts/manage-app-credentials.sh -p sr -i quick -f $SPEC_PATH/sr/quick/applications.yaml create oauthConfig

    Enter the values as prompted:

    Provide Oauth credentials  for   'sr-quick'   ...
    Client Id: topologyClient #Provide Client ID
    Client Secret: xxxxx #Provide Client Secret
    Identity Provider Uri: <Identity-Provider-Uri>
    Client Scope: <oauth-client-scope>  (if scope is not configured for oidc-client keep blank)
    Client Audience: <oauth-client-audience> (if audience not configured for oidc-client keep blank)
    Token Endpoint Uri: <token_endpoint_uri> #Provide oauth token endpoint URI
    Valid Issue Uri: <valid issue uri> #Provide the valid issue URI
    Introspection Endpoint Uri: <introspection_endpoint_uri> #Provide the Introspection Endpoint URI
    JWKS Endpoint Uri: <JWKS_endpoint_uri> #Provide JWKS Endpoint URI
    Cookie Name: <Cookie-Name>
    Cookie Encryption Password: <Cookie-Encryption-Password>
    
    Provide Truststore details ...
    Certificate File Path (ex. ./idpcert.pem): ./commoncert.pem    #provide Certificate file path
    Truststore File Path (ex. truststore.jks): ./commontrust.jks   #provide Truststore file path
    Truststore Password: xxxx  #provide Truststore password

    Sample for IDCS is as follows:

    Provide Oauth credentials for 'sr-quick' ...
    Client Id: xxxxxxxxxxxxx 
    Client Secret: xxxx-xxxx-xxxx-xxxx
    Identity Provider Uri: https://<IDCS URL>:443
    Client Scope: https://quick.sr.topology.uim.org:30443/first_scope
    Client Audience: https://quick.sr.topology.uim.org:30443/
    Token Endpoint Uri: https://<IDCS URL>:443/oauth2/v1/token 
    Valid Issue Uri: https://identity.oraclecloud.com/
    Introspection Endpoint Uri: https://<IDCS URL>:443/oauth2/v1/introspect
    JWKS Endpoint Uri: https://<IDCS URL>:443/admin/v1/SigningCert/jwk
    Cookie Name: OIDC_SESSION
    Cookie Encryption Password: <Cookie Encryption Password>
    
    Provide Truststore details ...
    Certificate File Path (ex. idpcert.pem): ./idpcert.pem #provide identity provider certificate to be used by Message Bus  
    Truststore File Path (ex. truststore.jks): ./truststore.jks  
    Truststore Password: xxxxx  #provide Truststore password

    Sample for OAM is as follows:

    Token Endpoint Uri: https://<instance>.<project>.ohs.<oam-host-suffix>:<port>/oauth2/rest/token #Provide oauth token endpoint URI
    Valid Issue Uri: https://<instance>.<project>.ohs.<oam-host-suffix>:<port>/oauth2 #Provide oauth valid issue URI
    Introspection Endpoint Uri: https://<instance>.<project>.ohs.<oam-host-suffix>:<port>/oauth2/rest/token/introspect #Provide Oauth Introspection Endpoint URI
    JWKS Endpoint Uri: https://<instance>.<project>.ohs.<oam-host-suffix>:<port>/oauth2/rest/security #Provide JWKS Endpoint URI
  3. Verify that the secret and the ConfigMap exist:
    $ kubectl get secret -n sr
    sr-quick-oauth-credentials
    
    $ kubectl get cm -n sr
    sr-quick-oauth-config-cm
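The endpoint values typed at the prompts in step 2 are what Message Bus and ATA later use to validate tokens, so a mistyped issuer or a stray space silently breaks validation (or, for the issuer, makes the service reject every token). The following added example, which is not part of this guide or of the CNTK scripts, checks the prompted values against the IdP's standard OIDC discovery document before you run manage-app-credentials.sh. It assumes the IdP publishes /.well-known/openid-configuration with the usual issuer, token_endpoint, introspection_endpoint and jwks_uri keys; the discovery document and the prompt values in the block are constructed, modelled on the IDCS sample above (where the issuer host legitimately differs from the IDCS URL, so only the three endpoints are required to share the Identity Provider host).

```python
"""Pre-flight consistency check for the OAuth prompt values of step 2.

Added example, not Oracle code. SAMPLE_DISCOVERY is a constructed OIDC
discovery document; PROMPT_VALUES are constructed answers to the prompts.
"""
import json
from urllib.parse import urlparse

# Constructed: what the IdP would serve at /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://identity.oraclecloud.com/",
    "token_endpoint": "https://idcs.example.com:443/oauth2/v1/token",
    "introspection_endpoint": "https://idcs.example.com:443/oauth2/v1/introspect",
    "jwks_uri": "https://idcs.example.com:443/admin/v1/SigningCert/jwk",
})

# Constructed: the answers you intend to give at the "Provide Oauth credentials" prompts.
PROMPT_VALUES = {
    "Identity Provider Uri": "https://idcs.example.com:443",
    "Token Endpoint Uri": "https://idcs.example.com:443/oauth2/v1/token",
    "Valid Issue Uri": "https://identity.oraclecloud.com/",
    "Introspection Endpoint Uri": "https://idcs.example.com:443/oauth2/v1/introspect",
    "JWKS Endpoint Uri": "https://idcs.example.com:443/admin/v1/SigningCert/jwk",
}

# Prompt label -> key in the discovery document.
DISCOVERY_KEYS = {
    "Token Endpoint Uri": "token_endpoint",
    "Valid Issue Uri": "issuer",
    "Introspection Endpoint Uri": "introspection_endpoint",
    "JWKS Endpoint Uri": "jwks_uri",
}

# Endpoints that must live on the Identity Provider host (the issuer may not, e.g. IDCS).
ENDPOINT_LABELS = ("Token Endpoint Uri", "Introspection Endpoint Uri", "JWKS Endpoint Uri")


def check_oauth_values(prompt_values, discovery_json):
    """Return a list of problems found; an empty list means the values are consistent."""
    disc = json.loads(discovery_json)
    problems = []

    # 1. Every value must be a clean https URL: no embedded/trailing whitespace.
    for label, value in prompt_values.items():
        if value != value.strip() or " " in value.strip():
            problems.append(f"{label}: contains whitespace: {value!r}")
        if urlparse(value.strip()).scheme != "https":
            problems.append(f"{label}: must use https: {value!r}")

    # 2. Token, introspection and JWKS endpoints must be served by the IdP host.
    idp_host = urlparse(prompt_values["Identity Provider Uri"].strip()).netloc
    for label in ENDPOINT_LABELS:
        host = urlparse(prompt_values[label].strip()).netloc
        if host != idp_host:
            problems.append(f"{label}: host {host!r} is not the Identity Provider host {idp_host!r}")

    # 3. Values must match what the IdP advertises. The issuer is compared exactly,
    #    because the 'iss' claim in a token is matched character for character;
    #    endpoint URLs tolerate a trailing slash.
    for label, key in DISCOVERY_KEYS.items():
        advertised = disc.get(key)
        entered = prompt_values[label].strip()
        if advertised is None:
            problems.append(f"{label}: discovery document has no {key!r}")
            continue
        if key == "issuer":
            matches = entered == advertised
        else:
            matches = entered.rstrip("/") == advertised.rstrip("/")
        if not matches:
            problems.append(f"{label}: {entered!r} does not match advertised {key} {advertised!r}")
    return problems


if __name__ == "__main__":
    for problem in check_oauth_values(PROMPT_VALUES, SAMPLE_DISCOVERY) or ["OK"]:
        print(problem)
```

Run it with the real discovery document fetched from your IdP over the truststore from step 1; only create the secret once the list is empty, because the values end up in sr-quick-oauth-credentials and are not re-validated by the script.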

Note:

The oauthConfig secret is used by both the Message Bus and ATA applications. If you are creating them in different namespaces or instances, you must create this secret in both namespaces or instances.

Common Configuration Options for All Services

You can provide configurations that are common across all services in the common-config.yaml file and run the commonConfig command.

You can use this option to provide any configuration for ATA (api, ui, impact-analysis-api) and the Authorization service. The mandatory Identity Provider configuration details are passed using the oauthConfig secret. If you want to override that configuration or supply any additional configuration, use this option.

Note:

Before running the command, make sure you copy common-config.yaml from $COMMON_CNTK/samples/credentials/common-config.yaml to $SPEC_PATH/<PROJECT>/<INSTANCE>/common/common-config.yaml.
#In case of IDCS as IdP, you have to provide the following additional provider details
security:
  providers:
  - abac:
  - oidc:
  - idcs-role-mapper:
      multitenant: false #update this as per the IDCS instance used.
      oidc-config:
        client-id: "${security.properties.idp-client-id}"
        client-secret: "${security.properties.idp-client-secret}"
        identity-uri: "${security.properties.idp-uri}"
        audience: "${security.properties.idp-audience}"